Thursday August 18, 2005
Tuesday August 16, 2005
15:20 | Humor
The liquidation of 1000 iBooks for $50 apiece resulted in a crowd of thousands
circling the event in their cars in Richmond, VA. Predictably, pandemonium ensued as people were trampled, someone
tried to drive their way through the crowd, and one woman pissed herself rather
than relinquish her place in line. The money quote comes from one Jesse
Sandler, though:

Jesse Sandler said he wasn't a bit nervous when the stampede began: he was one
of the people pushing forward, using a folding chair he'd brought with him to
beat back people who tried to cut in front of him.
"I took my chair here and I threw it over my shoulder and I went, 'Bam,'" the 20-year-old said nonchalantly, his eyes glued to the screen of his new iBook, as he tapped away on the keyboard at a testing station.
I don't suppose they'd let him use his iBook behind bars?
Wednesday August 10, 2005
After three straight days of attacks, counterattacks, and constant caffeine
consumption, Shellphish triumphed among a worthy
field of eight teams to take first place at the 2005 DEFCON CTF! Kenshoto, the organizers who were tasked with following
in the footsteps of the ghettohackers and
succeeded beyond all expectations, have posted the final scores on their site.
Slashdot has a story on the CTF, along
with SecurityFocus (which includes
Crispin Cowan's take on the setup), but for the blow-by-blow, read on.
There was much mystery and speculation swirling around the setup of this year's competition, as Kenshoto purposefully held back information on the physical setup of the network, how much access to the machines teams would have, what operating system would need to be defended, etc. When the day came and the setup was revealed, not everyone was happy, as Crispin's comments to SecurityFocus made clear. Incidentally, this makes two years in a row that LSM or SELinux-like systems have been undeployable (last year's team images were Windows-based). In particular, this year was a departure from previous setups as the images to be defended were jails on a single FreeBSD 5.4-RELEASE server hosted by Kenshoto. Thus, no physical access, firewalls, kernel modifications, etc. were allowed. Nevertheless, I would have to dispute Crispin's claim that no defensive measures were possible on the part of the competing teams. Most services were easily patchable, a network tap provided by Kenshoto allowed teams to sniff traffic to and from their jails, and more advanced defenses like syscall interposition were still possible.
As for the vulnerabilities themselves, these were mainly a smattering of web-based services, Python scripts, and C-based network daemons. The web-related services were generally easy to deal with, as they could be instrumented and audited rather easily. The binary-only daemons, on the other hand, presented another problem altogether.
To be continued...